cvonkleist / encrypted_cookie

AES-128 encrypted session cookies for Rack (and Sinatra and other frameworks).
MIT License

Use alternative serializer #6

Open namelessjon opened 11 years ago

namelessjon commented 11 years ago

a la https://gist.github.com/mattetti/7624413

tl;dr: encrypted_cookie currently serializes via Marshal. This means that anyone who discovers the session secret probably has remote code execution on the application. Which is pretty bad, obviously.

mkristian commented 11 years ago

Personally I store a Hash with primitives in my session, so JSON or (safe_)yaml would do just fine, via some config/options or so!

namelessjon commented 10 years ago

*several months elapse*

One snag in implementing this easily is the expiry time which was added. With e.g. JSON.dump, this is serialised to something like "2014-08-15 14:46:26 UTC" and then on JSON.load it is returned as a string, which can't be compared with the Time.

Options

  1. Add a check in the expiry code to Time.parse if given a string.
  2. Write some new JSON and/or YAML based serialiser which converts everything to primitives.
  3. Something else?

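The two options above can be seen side by side in a small self-contained sketch. This is an added example, not code from encrypted_cookie or from any commenter: a JSON-based coder that converts a session to primitives, tagging `Time` values so they come back as `Time` on load (option 2), plus an expiry check that also accepts the string form `JSON.load` would otherwise hand back (option 1). The coder is shaped like a `Rack::Session::Cookie` coder (`encode`/`decode`) so it could be passed as a `:coder`, but that shape, the `TimeAwareJsonCoder` name and the `__time__` tag are assumptions of this example; the session values are constructed.

```ruby
require 'json'
require 'time'

# Added example (not encrypted_cookie's code): a JSON-based session coder that
# round-trips Time values, so an expiry check keeps working without Marshal.
# Shaped like a Rack::Session::Cookie coder (encode/decode); that is an assumption.
class TimeAwareJsonCoder
  TIME_KEY = '__time__' # tag marking a serialised Time (constructed name)

  # Walk the session, replacing every Time with a tagged primitive Hash.
  def to_primitive(obj)
    case obj
    when Time  then { TIME_KEY => obj.utc.iso8601(6) }
    when Hash  then obj.each_with_object({}) { |(k, v), h| h[k.to_s] = to_primitive(v) }
    when Array then obj.map { |v| to_primitive(v) }
    when String, Numeric, true, false, nil then obj
    else
      # Anything else (Symbols, arbitrary objects) is rejected rather than
      # silently marshalled: primitives only means nothing executes on load.
      raise ArgumentError, "unsupported session value: #{obj.class}"
    end
  end

  # Reverse of to_primitive: a Hash whose only key is the tag becomes a Time.
  def from_primitive(obj)
    case obj
    when Hash
      if obj.keys == [TIME_KEY]
        Time.iso8601(obj[TIME_KEY])
      else
        obj.each_with_object({}) { |(k, v), h| h[k] = from_primitive(v) }
      end
    when Array then obj.map { |v| from_primitive(v) }
    else obj
    end
  end

  def encode(session)
    JSON.generate(to_primitive(session))
  end

  # Malformed or empty input yields nil (a fresh session) instead of raising.
  def decode(str)
    return nil if str.nil? || str.empty?
    from_primitive(JSON.parse(str))
  rescue JSON::ParserError
    nil
  end
end

# Option 1 from the comment above: tolerate a String expiry as well as a Time.
def session_expired?(expires_at, now = Time.now)
  expires_at = Time.parse(expires_at) if expires_at.is_a?(String)
  now >= expires_at
end

if $PROGRAM_NAME == __FILE__
  coder = TimeAwareJsonCoder.new
  expiry = Time.utc(2014, 8, 15, 14, 46, 26) # constructed sample value
  session = { 'user_id' => 42, 'expires_at' => expiry, 'roles' => ['admin'] }
  cookie = coder.encode(session)
  restored = coder.decode(cookie)
  puts cookie
  puts "expiry survives round-trip: #{restored['expires_at'] == expiry}"
  puts "expired at 14:46:27: #{session_expired?(restored['expires_at'], expiry + 1)}"
end
```

With the tagged form, `restored['expires_at']` is a `Time` again and the existing comparison against `Time.now` works unchanged; the `String` branch in `session_expired?` is only needed if a plain `JSON.dump`/`JSON.load` pair is kept instead.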
tonytonyjan commented 7 years ago

Since the project seems no longer under maintained, I built another one: https://github.com/tonytonyjan/rack_encrypted_cookie

It's built on top of Rack::Session::Cookie, so you can customize the :coder as well, for example:

```ruby
use Rack::Session::EncryptedCookie, secret: 'tonytonyjan', coder: Rack::Session::Cookie::Base64::JSON.new
```

There are 3 built-in serializers (coders) so far:

```ruby
puts Rack::Session::Cookie::Base64.constants
# => [:Marshal, :JSON, :ZipJSON]
```